Tomcat security specifications (tomcat security reinforcement and specifications)

tomcat is an open source web server. The web based on Tomcat has high running efficiency and can run smoothly on general hardware platforms. Therefore, it is quite popular among webmasters. However, under the default configuration, it has certain security risks and can be attacked maliciously. Here are some security enhancements:

Version security

Upgrade to the latest stable version. For stability reasons, cross-version upgrades are not recommended.

Service demotion

Do not use the root user to start Tomcat. Use a normal user to start Tomcat. The user name in the cluster is unified with UID

Port protection

1 Change the tomcat management port 8005. This port has the authority to shut down the tomcat service, but the port must be configured between 8000 and 8999, and change the shutdown command.
2 If Tomcat is placed in the intranet, the listening address for the Tomcat service is the intranet address.
3 Modify the default ajp 8009 port to be less likely to conflict (greater than 1024), but require the port to be configured between 8000 and 8999

Disable the management terminal

1 Delete the default $CATALINA_HOME/conf/tomcat-users.xml file and restart Tomcat to automatically generate a new file
2 Delete all the default directories and files downloaded from $CATALINA_HOME/webapps
3 Configure the Tomcat application root directory to a directory other than the Tomcat installation directory

Hide Tomcat version information

The display of this information is controlled by a jar package, which is stored in the $CATALINA_HOME/lib directory and is named catalina.jar.
Decompressing the jar package with the jar xf command will yield two directories: META-INF and org.
Modify the serverinfo field in the org/apache/catalina/util/ServerInfo.properties file to change the version information of our tomcat

Disable automatic war deployment

By default, Tomcat enables hot deployment of war packages. In order to prevent the implantation of Trojans and other malicious programs, we need to turn off automatic deployment.

Modify the instance:

<Host name="localhost" appBase=""
unpackWARs="false" autoDeploy="false">

Custom error pages

Edit conf/web.xml and add the following content above the </web-app> tag:

<error-page>
  <error-code>404</error-code>
  <location>/404.html</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/500.html</location>
</error-page>

Shield directory files from being automatically listed

Edit the conf/web.xml file

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
 
<param-value>false</param-value>

Here false means not to list, true means to allow listing

Multiple virtual hosts

It is strongly recommended not to use Tomcat's virtual hosts, and it is recommended to use one instance per site. That is, you can start multiple Tomcats instead of starting one Tomcat containing multiple virtual hosts.
Because Tomcat is multi-threaded and shares memory, a crash in any application in a virtual host will affect all applications. Although using multiple instances will incur excessive overhead, it at least ensures the isolation and security of the application.

Script permission recovery

Control the executable permissions of start.sh, catalina.sh, and shutdown.sh in the CATALINAHOME/bin directory
chmod −R744 CATALINA_HOME/bin/*

Separate Tomcat and project users

To prevent Tomcat from being implanted into the web shell program, you can modify the project file. Therefore, we need to separate Tomcat from the project owner, so that even if it is hacked, it will not be able to create and edit project files.

Server head rewrite

Add server configuration server="server_name" to the HTTP Connector configuration. The default is Apache-Copyote/1.1
Limit the IP source of access through configuration

<Host name="localhost" appBase="/data/www/tomcat_webapps" unpackWARs="true" autoDeploy="false">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.10,192.168.1.30,192.168.2.*" deny=""/>
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="www.test.com,*.test.com" deny=""/>
</Host>

Access log format specification <br /> Enable Referer and User-Agent records in the default access log of tomcat

Standard Configuration:

<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" prefix="localhost_access_log"
suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b %{Referer}i %{User-Agent}i %D"
resolveHosts="false" />

Tomcat disables illegal HTTP methods

Edit the configuration in the web.xml file

<init-param> of org.apache.catalina.servlets.DefaultServlet 
<param-name>readonly</param-name> 
<param-value>true</param-value> 
</init-param>

When param-value is true, delete and put operations are not allowed.

The tomcat user has remote management permissions <br /> In tomcat-users.xml, modify the role value of the tomcat user to include manager, such as:

<user username="tomcat" password="***"
roles="manager">

The automatic logout time of tomcat is no more than 30 seconds <br /> Edit server.xml and change the automatic logout time to 30 seconds, as follows:

<Connector 
port="8080" maxHttpHeaderSize="8192" maxThreads="150" 
minSpareThreads="25" maxSpareThreads="75", 
enableLookups="false" redirectPort="8443" acceptCount="100" 
connectionTimeout="30000" disableUploadTimeout="true" />

Tomcat should set the minimum and maximum number of connections based on machine performance and business needs.

Edit the server.xml file,

The example is as follows: <Connector port="8080" minSpareThreads="25" .../>
minSpareThreads="25" means that even if no one is using it, this many empty threads will be opened for waiting. Set the number of connections based on the actual situation.

Edit the server.xml file,
The example is as follows: <Connector port="8080" maxThreads="150"……/>
maxThreads="150" means that a maximum of 150 connections can be processed simultaneously. Configure the number of connections based on actual conditions.

Tomcat configuration access log <br /> Modify server.xml and uncomment the following content:

<Valve className="org.apache.catalina.valves.AccessLogValve" 
Directory=”logs” prefix=”localhost_access_log.” Suffix=”.txt” 
Pattern="common" resloveHosts="false"/>

Configure Tomcat error page redirection

Edit the web.xml file and modify it as follows:

<error-page> 
<error-code>404</error-code> 
<location>/noFile.htm</location> 
</error-page> 
………… 
<error-page> 
<exception-type>java.lang.NullPointerException</exception-type>
<location>/error.jsp</location> 
</error-page>

This is the end of this article. The editor of 123WORDPRESS.COM will share more knowledge with you later.